Author Archive - Menard Osena (Senior Product Manager)

I attended the RSA 2014 Conference in San Francisco, which was held about two weeks ago. This year the conference offered new insights into today’s threat landscape, which will help us all plan for and protect users in 2014 and beyond.

Largest Security Conference of 2014

The attendance numbers for RSA are always impressive: this year had more than 25,000 attendees, 400+ sponsors and exhibitors, and more than 550 speakers. Such was the number of vendors that two large Exposition Halls – one each in the Moscone Center’s North and South buildings – were used for vendor exhibits. The various sessions – including most of the technical track talks I attended – were in the Moscone West hall.

Earlier my colleague JM Hipolito shared her own thoughts about RSA; here is what I found most interesting there.

Opening Keynote: Finding a Path Forward in an Increasingly Conflicted Digital World

The Executive Chairman of RSA, Art Coviello, delivered the opening keynote. He gave his first public comment on the RSA and NSA controversy, as well as the need to separate the NSA’s offensive and defensive functions. But what I will remember most about his keynote is his call to governments and the security industry as a whole to adopt four guiding principles to help maintain a safer Internet for everyone:

Renounce the use of cyberweapons, and the use of the Internet for waging war

Cooperate internationally in the investigation, apprehension and prosecution of cyber criminals

Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected

Respect and ensure the privacy of all individuals

He also reiterated the need for the security industry and governments to work hand in hand to create a safer digital world that will benefit this and the generations to come.

All of the guiding principles are equally important, but I would like to highlight the first and second ones as being the most important.

The topic of cyberwar and cyberweapons is very sensitive, but I found the correlation between cyberweaponry and nuclear weapons compelling. I totally agree with Coviello’s statement that “we must have the same abhorrence to cyberwar as we do nuclear and chemical war.”

As for cooperation in prosecuting cybercrime, this is a topic where Trend Micro’s positions are well-known. We’ve frequently spoken about the need for researchers and law enforcement agencies to work together to prosecute the actual “threat actors”, as we believe that this is the most effective way to catch cybercriminals.

These partnerships allow researchers and police to combine their strengths and ensure that
Our efforts have netted effective results, most recently being the arrest of the creator of SpyEye.

Bitcoin Is Here: How to Become a Successful Bitcoin Thief

Uri Rivner of Biocatch and Etay Maor of Trusteer co-presented the one technical session at RSA dedicated to Bitcoins. They discussed the basics of cryptocurrency and how one can use it. They also discussed the usual use cases of Bitcoin: from creating a wallet and having your very own address, to filling the wallet with Bitcoins using an online Bitcoin exchange.

The highlight of the session for me was a live demonstration of a hack using a SpyEye variant. In the demo, they performed a man-in-the-browser (MiTB) attack and stole the user’s Bitcoin from his wallet.

They also discussed the top cybercriminal activities that Bitcoin has been tied to. These include phishing attempts to steal Bitcoin-related website credentials, deploying RATs (Remote Access Trojans) to have direct access to desktop wallets, up to using botnets to mine Bitcoins (even though this is no longer particularly attractive).

They also explained why cybercriminals are interested in cryptocurrencies like Bitcoin. Because cybercriminals believe that cryptocurrencies offer anonymity, they think that these will help in laundering money made from illegal activities. In addition, advanced services available in the cybercrime underground (like Bitcoin fogging services) may enable threat actors to further increase their anonymity tenfold.

In summary, the presenters said that Bitcoin is a new exciting frontier and encouraged everyone in the room to try and delve into it so that they understand its potential. They warned about the increasing phishing and malware attacks related to cryptocurrencies. They also pointed out that online Bitcoin exchanges and online wallets are low hanging fruit that may be a big opportunity for the cybercriminals. (The troubles of many online exchanges recently, including erstwhile leader Mt. Gox, have only reinforced this last point.)

The talk mirrored many of the points we have discussed. In December, we had discussed the possibility of Bitcoin’s then-record prices causing thefts of Bitcoin wallets. We had also earlier discussed how users can help secure their cryptocurrency. Overall, we share their sentiments: Bitcoin is the object of much potential, but is the subject of multiple threats as well.

Two weeks ago, I attended the RSA 2013 Conference in San Francisco and was impressed by the number of participating security vendors. The addition of the Human Element and Breaking Research technical track sessions also gave this year’s presentations a refreshing touch.

Below are some of my experiences and insights on some noteworthy discussions involving security awareness, hacking back, and going offensive legally.

The 7 Highly Effective Habits of a Security Awareness Program

Samantha Manke and Ira Winkler of Secure Mentem discussed their views on the difference between security training and security awareness. They highlighted the importance of a security culture in companies in enabling employees to apply best computing practices on a daily basis, resulting in long-term security awareness within the organization.

They presented the results of their recent study conducted among Fortune 500 companies in the Health, Manufacturing, Food, Financial and Retail sectors. This study focused on the security awareness campaigns that companies implemented and how effective these were. They came up with key findings that led them to create their 7 Highly Effective Habits of a Security Awareness Program, which are:

Create a Strong Foundation

(Have) Organizational Buy-in

(Encourage) Participative Learning

(Have) More Creative Endeavors

Gather Metrics

Partner with Key Departments

Be the Department of HOW

My key takeaway for this session is of course the last part. We, the information security professionals, should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, not simply saying no to our own customers and further locking down systems.

While I understand the need to establish dos and don’ts in company security policies, we should raise the bar and let security be a key part of solving business challenges, not an obstacle to it.

World of Warcraft: Mists of Pandaria is the fourth expansion for the massively multiplayer online role-playing game (MMORPG) World of Warcraft. It was first unveiled to the public in October 2011 during the BlizzCon 2011 conference in Anaheim, California.

TrendLabs researchers started seeing increased phishing activity inside World of Warcraft after Blizzard started the closed beta testing for Mists of Pandaria in March 2012.

In these new rounds of phishing attempts, scammers are trying to abuse WoW’s in-game mail system: the malicious URLs are sent via in-game mail and are received by players in their in-game mailboxes.

In this phishing attempt, the scammer entices would-be victims to join the Mists of Pandaria beta testing and win an exclusive in-game item, the Dragon Turtle Mount, by visiting and registering on their website. The Dragon Turtle Mount was previously announced by Blizzard as the racial mount for the Pandaren, the new playable character race available in the Mists of Pandaria expansion.

The phishing URL in the in-game email leads to a phishing website that closely resembles the actual Battle.net website. The phishing URL tries to add some credibility by including the Mists of Pandaria abbreviation (MOP) in the domain name.

If unsuspecting users input their Battle.net credentials, it will definitely result in Battle.net account theft. Battle.net is the central account management system for all Blizzard games like World of Warcraft, Starcraft 2, and Diablo III.

In contrast to what we discussed in our previous World of Warcraft post, we observed that recent scamming attempts seem to be targeted at low-level characters and not high-level or level-capped (Level 85) ones. This may be part of the scam detection avoidance strategy of the bad guys, as high-level characters may have more awareness of this security issue, having spent more time in the game.

We analyzed the malicious domain further and made an interesting discovery: the same server also hosts other phishing sites targeting World of Warcraft players:

http://{BLOCKED}p.us-support.net

http://{BLOCKED}p.wow-support.net

http://for{BLOCKED}t-eu-wow-account-blizzard.com

http://for{BLOCKED}t-wow-us-account-blizzard.com

http://{BLOCKED}a-pandaria.net

The newly discovered malicious websites use Mists of Pandaria, World of Warcraft, and their corresponding abbreviations in their URLs.
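The pattern described above, brand names and the MoP/WoW abbreviations stuffed into non-Blizzard domain names, lends itself to a simple defensive heuristic a mail or URL filter could apply. The following is an added example, not Trend Micro’s or Blizzard’s code; the allow-list of legitimate domains, the brand token list and the sample URLs are all constructed for illustration.

```python
"""Flag Battle.net look-alike phishing URLs of the kind described in the post.
Added example, not Trend Micro's or Blizzard's code. LEGIT_DOMAINS and
BRAND_TOKENS are assumed illustrative lists; SAMPLE_URLS are constructed to
mirror the post's pattern and are not the blocked domains themselves."""
from urllib.parse import urlsplit

# Assumption: domains Blizzard legitimately uses for account management.
LEGIT_DOMAINS = {"battle.net", "blizzard.com", "worldofwarcraft.com"}

# Brand words and abbreviations the post says scammers put in domain names.
BRAND_TOKENS = ("battle", "blizzard", "warcraft", "pandaria", "wow", "mop")

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.net; a production
    check should use the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def classify_url(url: str) -> str:
    """Return 'legit', 'suspicious' or 'unrelated' for a single URL."""
    if "://" not in url:          # in-game mail may carry bare hostnames
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    if not host:
        return "unrelated"
    if registered_domain(host) in LEGIT_DOMAINS:
        return "legit"            # exact match on a real Blizzard domain
    # Scammers glue tokens into longer labels ("...-eu-wow-account-..."),
    # so match on the hostname with separators stripped.
    flat = host.lower().replace("-", "").replace(".", "")
    if any(tok in flat for tok in BRAND_TOKENS):
        return "suspicious"       # brand reference on a non-Blizzard domain
    return "unrelated"

def flag_suspicious(urls):
    """Return the URLs a mail filter should block or warn about."""
    return [u for u in urls if classify_url(u) == "suspicious"]

# Constructed sample in-game mail URLs (not real indicators).
SAMPLE_URLS = [
    "https://us.battle.net/account/management/",
    "http://mop-beta.wow-support.example/register",
    "http://reset-eu-wow-account-blizzard.example",
    "mop-beta-pandaria.example",
    "http://news.example.org/item",
]
```

Short tokens such as "mop" will produce false positives on unrelated hostnames, so in practice the verdict should feed a warning or a reputation lookup rather than an outright block.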

Trend Micro users need not worry about these threats, as they are protected from these World of Warcraft phishing attacks via the Trend Micro™ Smart Protection Network™, which blocks access to the phishing websites.

It is interesting to note that some of the phishing websites were registered just days after Blizzard announced that Mists of Pandaria would be the next World of Warcraft expansion. This clearly shows that the bad guys are up to date and are always on the lookout for events and opportunities to expand their nefarious schemes.

Blizzard, for their part, have stepped up their security measures. They have published a dedicated security page to help users understand their security commitment, raise awareness of the different types of account theft, highlight a gamer’s security checklist, and provide a step-by-step guide on what to do when users suspect that their account has been compromised.

Blizzard also promoted their authenticator (available as an app for iOS and Android devices, and as a keychain fob) by giving away an exclusive World of Warcraft Corehound pet to users who enable the authenticator.

We also advise our readers, casual and hardcore gamers alike, to view our latest Security and Gaming e-Guide for helpful tips on securing their online gaming experience.

In August 2011, we released our Snapshot of Android Threats, which stated that there was a significant increase in the number of Trojanized Android apps and actual malware targeting the Android platform.

In our continuous monitoring of this threat, we soon noticed that the problem was growing at an alarming rate. From a mere handful of malicious apps at the start of the year, it skyrocketed to more than a thousand malicious Android apps by the middle of December 2011. The average month-on-month growth rate for the second half of 2011 was more than 60%.

If this growth rate is sustained this year, then 2012 will definitely be an “exciting” year for Android. Why is this so? If current trends hold, we may be able to see more than 120,000 malicious Android apps by December.

There are several factors that are causing this explosive growth:

The increasing popularity of Android, as highlighted both by the number of total downloaded apps (more than 10 billion via the official Android Market) and the number of users and activations, as stated by Gartner and Google Senior Vice President of Mobile Andy Rubin.

The openness of the Android app distribution model. Unlike other mobile OSes, users are free to install applications without passing through any filtering process. This lowers the barriers to installing malicious apps considerably.

The cybercriminal mindset: Bad guys attack where the money is.

2011 already saw a wide variety of threats emerge for Android, as we discussed in our year in review. Android malware is definitely here to stay for 2012.

Like my colleagues, I also attended the RSA 2011 Conference in San Francisco last week. As they have shared in their posts on the hackers and threats sessions, I would like to share some of my experiences and lessons from sessions involving social media, spies and security.

Mapping an Organization’s DNA Using Social Media

Abhilash Sonwane of Cyberoam discussed the findings of their research involving 20 random small and medium companies across the globe. His team tracked the social media activities of these companies’ employees via Facebook, Twitter and LinkedIn streams. This was done without employing any malicious tactics such as spear phishing or malware infection.

It is interesting to know that by simply correlating the employees’ social media presence, the researchers were able to map the DNA of the company. By DNA, we mean a collection of data such as the morale of employees and of the company as a whole. This includes sensitive information such as who makes the buying decisions. While such information per se may not be directly related to any kind of threat, it can be used by competitors (and potentially, the bad guys) to their advantage.

My key takeaway from this session is that it is very important for companies to strive to create a balance between the benefits and risks of social media. Companies should have solid social media policies to raise awareness among employees about its proper use and corresponding challenges. Furthermore, to cover both internal and external risks, social media policies should be aligned with technology solutions that security companies offer.